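/*
 * Copyright 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <fuzzer/FuzzedDataProvider.h>
#include <stddef.h>
#include <stdint.h>

#include <string>
#include <vector>

#include "hci/fuzz/status_vs_complete_commands.h"
#include "hci/hci_layer.h"
#include "hci/hci_packets.h"
#include "module.h"
#include "os/fuzz/dev_null_queue.h"
#include "os/fuzz/fuzz_inject_queue.h"

namespace bluetooth {
namespace hci {
namespace fuzz {

// Fuzzing client module that sits on top of hci::HciLayer and pushes
// fuzzer-generated bytes into it as ACL data and HCI commands.
//
// Only declarations are visible in this header; Start(), Stop(),
// injectArbitrary() and the private inject*() helpers are defined elsewhere.
class HciLayerFuzzClient : public Module {
 public:
  HciLayerFuzzClient() : Module() {}

  void Start() override;
  void Stop() override;

  // Consumes bytes from |fdp| and forwards them to the layer under test.
  // NOTE(review): presumably dispatches to one of the private inject*()
  // helpers below; the definition is not in this header - confirm.
  void injectArbitrary(FuzzedDataProvider& fdp);

  // Declares hci::HciLayer as the only module this client depends on.
  void ListDependencies(ModuleList* list) const override {
    list->add<hci::HciLayer>();
  }

  static const ModuleFactory Factory;

  // NOTE(review): the returned name does not match the class name; it looks
  // carried over from another module. Left unchanged because log output or
  // tooling may key on it - confirm before renaming.
  std::string ToString() const override {
    return "DevNullHci";
  }

 private:
  void injectAclData(std::vector<uint8_t> data);
  void injectHciCommand(std::vector<uint8_t> data);
  void injectSecurityCommand(std::vector<uint8_t> data);
  void injectLeSecurityCommand(std::vector<uint8_t> data);
  void injectAclConnectionCommand(std::vector<uint8_t> data);
  void injectLeAclConnectionCommand(std::vector<uint8_t> data);
  void injectLeAdvertisingCommand(std::vector<uint8_t> data);
  void injectLeScanningCommand(std::vector<uint8_t> data);

  // Parses |data| as a TVIEW command packet and, when the packet is valid,
  // rebuilds it with TBUILDER and enqueues it on |interface|.
  //
  // Malformed input is dropped after parsing, so every fuzz input still
  // exercises TVIEW::FromBytes()/IsValid(), but only well-formed commands
  // reach EnqueueCommand().
  //
  // |interface| is dereferenced without a null check: callers must pass an
  // interface that has already been obtained.
  template <typename TVIEW, typename TBUILDER>
  void inject_command(std::vector<uint8_t> data, CommandInterface<TBUILDER>* interface) {
    TVIEW commandPacket = TVIEW::FromBytes(data);
    if (!commandPacket.IsValid()) {
      return;
    }

    // The completion callback is a no-op in both branches; only its argument
    // type differs, selected per opcode by uses_command_status().
    // NOTE(review): presumably the HCI layer rejects a callback whose type
    // does not match the opcode, which would surface as a harness failure
    // rather than a finding in the code under test - confirm.
    if (uses_command_status(commandPacket.GetOpCode())) {
      interface->EnqueueCommand(
          TBUILDER::FromView(commandPacket),
          GetHandler()->BindOnce([](CommandStatusView /* status */) {}));
    } else {
      interface->EnqueueCommand(
          TBUILDER::FromView(commandPacket),
          GetHandler()->BindOnce([](CommandCompleteView /* status */) {}));
    }
  }

  // Every raw pointer starts as nullptr, matching hci_. If an inject path
  // runs before the pointers are assigned, the harness then faults at a fixed
  // null address that is easy to recognise during crash triage, instead of
  // reading an indeterminate pointer and producing a non-reproducible crash.
  // NOTE(review): presumably all of these are assigned in Start() - confirm.
  hci::HciLayer* hci_ = nullptr;
  os::fuzz::DevNullQueue<AclView>* aclDevNull_ = nullptr;
  os::fuzz::FuzzInjectQueue<AclBuilder>* aclInject_ = nullptr;

  SecurityInterface* security_interface_ = nullptr;
  LeSecurityInterface* le_security_interface_ = nullptr;
  AclConnectionInterface* acl_connection_interface_ = nullptr;
  LeAclConnectionInterface* le_acl_connection_interface_ = nullptr;
  LeAdvertisingInterface* le_advertising_interface_ = nullptr;
  LeScanningInterface* le_scanning_interface_ = nullptr;
  // NOTE(review): no matching inject*() helper is declared in this header for
  // this interface - confirm whether distance measurement commands are fuzzed.
  DistanceMeasurementInterface* distance_measurement_interface_ = nullptr;
};

}  // namespace fuzz
}  // namespace hci
}  // namespace bluetooth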